The short version: the v3 format of CSP (nonce-based) is easy to implement with some know-how. In production, where “Analytics” and FBEvent are loaded via a .js file, it won’t work (at least for now; I’ll update the post when I find the trick).

Let’s talk about the CSPv3 format. It’s far better than the CSPv2 format, where you have to explicitly tell the HTTP server which “sites” are allowed. In v3 you can use a nonce, what a wonderful idea. In production mode, though, you will find several problems: Analytics won’t get loaded (a script created with document.createElement doesn’t have a “nonce”, and I’m pretty sure it never will!). Code injection, a.k.a. facepalm. Side note: it would not be “secure” if you could inject any code via the console; if you could, why would you want CSP at all… Of course you can trigger the Analytics code via WordPress injections, but then it won’t be async anymore… Well, complicated.

Now, here is what I came up with in my research, snipping a plugin together. First, create the mu-plugins folder, then add the plugin (inside that folder).

What does it do?

It reads the complete output buffer and changes the script/style tags into tags with a valid nonce. That’s it.

Errors/Limitations?

There are currently too many. Any “HTML optimizer” uses the same process as this code (yes, since the WP core developers missed the inline scripts and localization scripts, there is currently no other way). This means Autoptimize, W3-Cache etc. won’t work. WP-Admin throws many CSP errors, and the Media-Uploader popup is showing.
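The mu-plugin described above, written out as an added example (this is not the author’s plugin code). It generates one nonce per request, sends the `Content-Security-Policy` header on the `send_headers` hook, and on `template_redirect` opens an output buffer whose callback adds `nonce="…"` to every `<script>` and `<style>` opening tag. The `example_` function names and the file name `wp-content/mu-plugins/csp-nonce.php` are assumptions; the WordPress hooks and PHP functions used are real. The policy also includes CSP Level 3’s `'strict-dynamic'`, which lets a script that carries a valid nonce load further scripts it creates with `document.createElement`; that is the case the Analytics and Facebook loaders hit.

```php
<?php
/**
 * Plugin Name: CSP nonce injector (added example)
 * Description: Per-request CSP nonce, sent as a header and injected into
 *              <script>/<style> tags through the output buffer.
 *
 * Save as wp-content/mu-plugins/csp-nonce.php (assumed path). Function names
 * prefixed "example_" are made up for this example; the WordPress hooks
 * (send_headers, template_redirect) and PHP functions are real.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Return the nonce for this request, generating it on first use.
 * 16 random bytes (128 bits), base64 encoded as CSP expects.
 */
function example_csp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

/**
 * Build the policy string. 'strict-dynamic' (CSP Level 3) lets a nonced script
 * load the scripts it creates itself with document.createElement. Browsers that
 * understand 'strict-dynamic' ignore 'unsafe-inline' and the https: host source;
 * older browsers fall back to them.
 */
function example_csp_policy( $nonce ) {
	return "default-src 'self'; "
		. "script-src 'nonce-{$nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
		. "style-src 'self' 'nonce-{$nonce}'; "
		. "object-src 'none'; "
		. "base-uri 'self'";
}

/**
 * Output-buffer callback: add nonce="..." to every <script ...> and <style ...>
 * opening tag that does not already carry a nonce attribute. This is a regex over
 * the final HTML, so an attribute value containing ">" would break the match.
 */
function example_csp_add_nonces( $html ) {
	$attr = ' nonce="' . example_csp_nonce() . '"';
	return preg_replace_callback(
		'/<(script|style)\b([^>]*)>/i',
		function ( $m ) use ( $attr ) {
			if ( false !== stripos( $m[2], 'nonce=' ) ) {
				return $m[0]; // already nonced, leave it untouched
			}
			return '<' . $m[1] . $m[2] . $attr . '>';
		},
		$html
	);
}

// Front end only: wp-admin prints inline handlers and styles this approach does not cover.
if ( ! is_admin() ) {
	// The header must go out before any output; send_headers runs before the template loads.
	add_action( 'send_headers', function () {
		if ( ! headers_sent() ) {
			header( 'Content-Security-Policy: ' . example_csp_policy( example_csp_nonce() ) );
		}
	} );

	// Capture the whole rendered page and rewrite it once when the buffer is flushed.
	add_action( 'template_redirect', function () {
		ob_start( 'example_csp_add_nonces' );
	}, 0 );
}
```

Two caveats a deployment will run into: `style-src` with a nonce does not cover `style="…"` attributes, which many themes and the block editor print, so those are blocked until `'unsafe-inline'` is added to `style-src` or the styles are moved into `<style>` tags; and any other plugin that also buffers the output (the optimizers named above) sees either the raw or the rewritten HTML depending on hook order. WordPress 5.7 and later also provide the `wp_script_attributes` and `wp_inline_script_attributes` filters, which attach a nonce to core-enqueued scripts without buffering; the buffer remains the only way to reach tags that themes and plugins print by hand.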
